linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed
From: Ram Pai <linuxram@us.ibm.com>
To: Christoph Hellwig <hch@lst.de>
Cc: Anshuman Khandual <anshuman.linux@gmail.com>,
	Alexey Kardashevskiy <aik@ozlabs.ru>,
	Mike Anderson <andmike@linux.ibm.com>,
	linux-kernel@vger.kernel.org,
	Claudio Carvalho <cclaudio@linux.ibm.com>,
	Paul Mackerras <paulus@samba.org>,
	linuxppc-dev@lists.ozlabs.org,
	Thiago Jung Bauermann <bauerman@linux.ibm.com>
Subject: Re: Re: [RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper
Date: Tue, 21 May 2019 08:09:35 -0700	[thread overview]
Message-ID: <20190521150935.GB8402@ram.ibm.com> (raw)
In-Reply-To: <20190521051326.GC29120@lst.de>

On Tue, May 21, 2019 at 07:13:26AM +0200, Christoph Hellwig wrote:
> On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote:
> > From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> > 
> > For secure VMs, the signing tool will create a ticket called the "ESM blob"
> > for the Enter Secure Mode ultravisor call with the signatures of the kernel
> > and initrd among other things.
> > 
> > This adds support to the wrapper script for adding that blob via the "-e"
> > option to the zImage.pseries.
> > 
> > It also adds code to the zImage wrapper itself to retrieve and if necessary
> > relocate the blob, and pass its address to Linux via the device-tree, to be
> > later consumed by prom_init.
> 
> Where does the "BLOB" come from?  How is it licensed and how can we
> satisfy the GPL with it?

The "BLOB" is not a piece of code. Its just a piece of data that gets
generated by our build tools. This data contains the
signed hash of the kernel, initrd, and kernel command line parameters.
Also it contains any information that the creator the the BLOB wants to
be made available to anyone needing it, inside the
secure-virtual-machine. All of this is integrity-protected and encrypted
to safegaurd it when at rest and at runtime.
 
Bottomline -- Blob is data, and hence no licensing implication. And due
to some reason, even data needs to have licensing statement, we can
make it available to have no conflicts with GPL.


-- 
Ram Pai


  reply	other threads:[~2019-05-21 15:12 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-21  4:49 [PATCH 00/12] Secure Virtual Machine Enablement Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 01/12] powerpc/pseries: Introduce option to build secure virtual machines Thiago Jung Bauermann
2019-05-21  4:49 ` [RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper Thiago Jung Bauermann
2019-05-21  5:13   ` Christoph Hellwig
2019-05-21 15:09     ` Ram Pai [this message]
2019-05-21 23:15     ` Paul Mackerras
2019-05-21  4:49 ` [RFC PATCH 03/12] powerpc/prom_init: Add the ESM call to prom_init Thiago Jung Bauermann
2019-06-26  7:44   ` Alexey Kardashevskiy
2019-06-28 22:33     ` Thiago Jung Bauermann
2019-07-01  3:13       ` Alexey Kardashevskiy
2019-05-21  4:49 ` [PATCH 04/12] powerpc/pseries/svm: Add helpers for UV_SHARE_PAGE and UV_UNSHARE_PAGE Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 05/12] powerpc/pseries: Add and use LPPACA_SIZE constant Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 06/12] powerpc/pseries/svm: Use shared memory for LPPACA structures Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 07/12] powerpc/pseries/svm: Use shared memory for Debug Trace Log (DTL) Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 08/12] powerpc/pseries/svm: Export guest SVM status to user space via sysfs Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 09/12] powerpc/pseries/svm: Disable doorbells in SVM guests Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 10/12] powerpc/pseries/iommu: Don't use dma_iommu_ops on secure guests Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 11/12] powerpc/pseries/svm: Force SWIOTLB for " Thiago Jung Bauermann
2019-05-21  5:15   ` Christoph Hellwig
2019-05-23  5:15     ` Thiago Jung Bauermann
2019-05-21  4:49 ` [PATCH 12/12] powerpc/configs: Enable secure guest support in pseries and ppc64 defconfigs Thiago Jung Bauermann
2019-06-07 14:47   ` [RFC PATCH 1/1] powerpc/pseries/svm: Unshare all pages before kexecing a new kernel Ram Pai
2019-06-01 17:11 ` [PATCH 00/12] Secure Virtual Machine Enablement Thiago Jung Bauermann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190521150935.GB8402@ram.ibm.com \
    --to=linuxram@us.ibm.com \
    --cc=aik@ozlabs.ru \
    --cc=andmike@linux.ibm.com \
    --cc=anshuman.linux@gmail.com \
    --cc=bauerman@linux.ibm.com \
    --cc=cclaudio@linux.ibm.com \
    --cc=hch@lst.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=paulus@samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).